Nod 32 - question about HIPS


novice

Hi,

 

Is anyone using HIPS in "Interactive mode"?

 

Seems to be overly complicated (just to open my home page "Google" I had to answer around 10-12 pop-ups from HIPS) 

 

The interactive mode, to be practical, should have a set of general rules and the user should answer only to a limited number of pop ups.

 

In "Automatic Mode" I never had any indication that the HIPS is alive somehow....

 

For some reason I have the feeling that the HIPS module is just a fancy thing doing nothing

 

I may be wrong but without a way to test HIPS, it is difficult to say what it is doing there....

Edited by novice

  • Administrators

Use Smart mode, which is actually interactive mode that asks you only about very suspicious actions. HIPS is not meant to be used in interactive mode. It includes Advanced Memory Scanner, Exploit Blocker as well as Self-defense, all of which are crucial protection modules that substantially improve protection capabilities without user interaction.


The interactive mode, to be practical, should have a set of general rules and the user should answer only to a limited number of pop ups.

I will also add that interactive mode should only be used after learning mode has been used for a number of days. This will allow the HIPS to auto create rules for all your existing OS and application processes. The default learning time is 14 days. I believe that is a bit excessive. Three days or so should do the trick. While learning mode is enabled, make sure you open and run all your applications so the HIPS creates rules for those. After the learning period has expired, or manually, you can switch to interactive mode. At that point, you will only receive HIPS alerts for processes not run during the learning period. Additionally, learning mode can be switched on when installing a new application - note the below caution.

 

Caution: Learning mode should only be enabled on a PC that is 100% malware free. Any existing malware will also be "learned" and HIPS allow rules created for the same. The best time to use learning mode is immediately after the OS has been installed.

 

Finally, running the HIPS in interactive mode is only recommended for experienced users that have the training to differentiate valid process activity from malware based activity. Without this type of training there is a high likelihood that the user will adversely affect valid process activity and worse, allow malware activity.

Edited by itman

Use Smart mode, which is actually interactive mode that asks you only about very suspicious actions. HIPS is not meant to be used in interactive mode. It includes Advanced Memory Scanner, Exploit Blocker as well as Self-defense, all of which are crucial protection modules that substantially improve protection capabilities without user interaction.

Hi,

 

Thank you for your answer!

 

I switched HIPS to Smart Mode; is there anything I can do (delete/create/ modify/ download/upload) to trigger a HIPS alert in this mode?

 

Thanks!

Edited by novice

Hi,

Me again!

With HIPS in Smart Mode, I went to Windows/System32/Drivers and I randomly picked a driver and I was able to delete it without any warning !

Is that normal?


  • Administrators

Hi,

Me again!

With HIPS in Smart Mode, I went to Windows/System32/Drivers and I randomly picked a driver and I was able to delete it without any warning !

Is that normal?

 

If you didn't delete an ESET driver protected by Self-defense, then it's normal. Why should ESET prevent removal of drivers, and thus also legitimate uninstallation of various software that utilizes drivers?


If I try to delete an ESET item (ecmd.exe for example) I get the following message, which doesn't seem to be HIPS related:

 

[screenshot attached]

 

 

My question is: what do I have to do to trigger a HIPS pop-up in "Smart mode", for testing purposes?

 

Thanks!


If I try to delete an ESET item (ecmd.exe for example) I get the following message, which doesn't seem to be HIPS related:

 

[screenshot attached]

 

 

My question is: what do I have to do to trigger a HIPS pop-up in "Smart mode", for testing purposes?

 

Thanks!

Create your own "User rule:" allow, block, or ask mode rules. They will also be executed along with the Eset default Smart mode HIPS rules. All Eset default HIPS rules have precedence over any user rules.


Hi itman,

 

maybe I was not clear in my request;

 

I have HIPS in Smart mode; in this mode HIPS is supposed to protect something (I do not know what); I want to simulate a malicious behavior (delete something) to trigger a HIPS alert, while in Smart Mode.

 

I had HIPS in "Automatic Mode" and I never got any alert (HIPS related) in more than 3 years (How do I know it is working?)

 

Thanks


  • Administrators

I had HIPS in "Automatic Mode" and I never got any alert (HIPS related) in more than 3 years (How do I know it is working?)

 

For instance, you shouldn't be able to delete ESET's binaries or kill ESET's processes.


Hi itman,

 

I had HIPS in "Automatic Mode" and I never got any alert (HIPS related) in more than 3 years (How do I know it is working?)

My observation of the default Smart mode HIPS rules is that certain registry areas and Win directories are protected, for example. Also the default rules are not always "full" block or allow rules. If you look in the HIPS log, you will see entries with the wording "some actions were partially allowed or blocked." I believe when these are encountered, no HIPS alerts are generated since the activity was automatically handled by the HIPS.

 

Overall I will say that the HIPS in Auto or Smart mode is designed to protect Eset processes, prevent exploits, and detect malware post execution memory modification attempts of critical processes.


"...Overall I will say that the HIPS in Auto or Smart mode is designed to protect Eset processes, prevent exploits, and detect malware post execution memory modification attempts of critical processes."

 

Well, sounds nice, but would be even better if we, the regular users can test this, somehow.

 

Otherwise it is simply "believe and do not doubt"

 

Amen!


Well, sounds nice, but would be even better if we, the regular users can test this, somehow.

 

You can test using the old Comodo Leak Test that can be downloaded here: hxxp://www.testmypcsecurity.com/securitytests/firewall_test_suite.html

 

For starters, I don't even know if this will run under Win 10. I know it runs under Win 7 and I assume Win 8. If you get any Eset HIPS alerts at test startup, you will have to allow clt.exe to run since it executes all the individual tests.

 

Note the following about this test. It was written to run under XP and Vista. It's a 32 bit process and all the tests are for the same likewise. So if you are running a 64 bit Win ver., a few tests will auto fail or not be properly executed. For example, the global hooking test will fail since you can't inject a 32 bit .dll into a 64 bit process - at least directly.

 

If I recall correctly your score will be around 210/340 with Eset's HIPS Smart mode enabled with no custom user rules added. Remember that this is a leak test and was written specifically to configure Comodo's firewall and HIPS - Defense+. I have been able to achieve a 100% score with it but I have numerous HIPS user rules as additions to the default Smart mode rules.


Hi,

 

Did the test;

first with Nod32 v9 and PC Tools Firewall Plus the score was 190 from 340 and NO ALERTS FROM NOD 32 HIPS

second, with NOD 32 disabled for 10 min, only PC Tools Firewall active: score 220 from 340; so it performed better with NOD 32 disabled!!!!!

 

 

 

[screenshot attached]


Hmm... I have no explanation as to why you would fail the "explorer as parent" test w/NOD32 HIPS enabled. What the test does:

 

23. Impersonation: ExplorerAsParent
 
What does it do ? Tries use explorer.exe to connect to the Internet.
What is the risk ? Firewalls may miss the real applications behind the internet connection requests.

 

A good example of this is CCleaner that does like activity. Appears to me that NOD32 is somehow "masking out" the explorer.exe activity to the PC Tools firewall and only showing to it the source process as the origin of the outbound Internet connection? I use Smart Security and I had to create custom HIPS rules for explorer.exe e.g. process startup to pass this test.

 

As far as the rest of the test failures, those are all HIPS related. All the tests you passed are firewall related. Hence the reason why you received no NOD32 HIPS alerts. The reason why the HIPS does not protect those areas? The user would receive constant alerts for many system process activities plus system or application modification as a result of Win Updates or application installation/modification. The Eset HIPS does not have "Windows Update" or "Trusted Installer" modes that can be enabled when like activity is being performed as does Comodo's Defense+.

 

BTW - I would dump PC Tools firewall since it hasn't been supported in years and upgrade to Smart Security.

 

-EDIT- Reviewing your Comodo Leak Test results again, there are a number of tests you should have received a HIPS alert on. Go into Eset "advanced settings" as shown below and ensure you have the display alerts setting enabled.

 

[screenshot attached]

 

 

Edited by itman

Hi itman,

 

Thank you for your perseverance in finding an answer to this issue.

 

I have the "Display notifications on desktop" enabled, yet no notifications from HIPS.

 

I asked the same question on DSL reports and it seems like the consensus is that HIPS doesn't do much, at best.

 

https://www.dslreports.com/forum/r30875931

 

Anyway , if you can find a way to trigger a HIPS alert in "Smart Mode" let me know.

 

Thanks,

Claudiu


Hi itman,

 

Thank you for your perseverance in finding an answer to this issue.

 

I have the "Display notifications on desktop" enabled, yet no notifications from HIPS.

The setting you need to check is enabled is "display alerts."

 

[screenshot attached]

 

Edited by itman

OK. To resolve this, I disabled all my custom rules and ran the Comodo Leak Test. Lo and behold, I also did not receive any alerts from the HIPS in Smart mode. Then "the light came on" in my head.

 

If you select, "Tools" then "Running Processes," you will note that clt.exe is running as a trusted process per LiveGrid prior reputation lookup and prior AV signature and heuristic scanning. As such, the HIPS will allow the process to run but only allow certain behavior based on its process status privileges. Since clt.exe is an application process, it is only allowed to perform certain activities versus system processes that can do all activities. Disallowed behavior in Smart mode is silently blocked but no alert is generated since the process is trusted. In contrast if clt.exe was an unknown and therefore untrusted process i.e. malware, you would receive an alert from the HIPS in Smart mode.  

 

To my knowledge there is no way to "untrust" a process as far as the HIPS is concerned. The only way you can get HIPS alerts in Smart mode for clt.exe is to create a user "block" or "ask" rule for it with the following settings:

 

1. checkmark "notify user"

2. in the source application area, add by file the location of clt.exe.

3. checkmark "Use for all operations" for the following settings; Target files, Target applications, Target registry.

 

The bottom line is that the HIPS Smart mode is not designed to alert the user for a misbehaving trusted process. However if you select "log all blocked operations" in the advanced HIPS options section, you can see all activity the HIPS blocked. Eset does not recommend that setting be permanently enabled since the HIPS log will be rapidly filled up with entries.

 

-EDIT-

 

I actually changed the code of a renamed version clt.exe by adding one byte to it using a hex editor I have. This resulted in it being untrusted to Eset due to hash change. Running this altered program, I did get alerts from the HIPS in Smart mode but only for registry modifications. All the other HIPS block activity was done silently. Go figure.

 

BTW - I did get a score of 240/340 using Smart Security ver. 8. The best effective score for CLT is 310 since the two global hooking plus the unknowndlls tests are N/A for 64 bit OSes. So an approx. 80% score is a very good result for Smart mode. The test failures were for the most part due to the fact the HIPS does not write protect the Window directories. Nor does it protect the service registry keys. Protecting these would result in a number of user alerts when Win updating or app install/modification occurs. Nor does Smart mode protect against low level disk access; again due to the alerts that would be generated. Personally, I have user HIPS rules for all of these.

 

[screenshot attached]

Edited by itman

There is one area that Eset needs to create additional default HIPS Smart mode rules; that is for DDE impersonation. I pass this CLT test with my custom user mode HIPS rules for Internet Explorer:

 

24. Impersonation: DDE
 
What does it do ? Tries to use Direct Data Exchange (DDE) to control IE's behavior and transfer data to the Internet server

 

What is the risk ? Firewalls can be bypassed and malicious files can be downloaded from the trusted browser process.

 

Additional reference: https://msdn.microsoft.com/en-us/library/windows/desktop/aa376391(v=vs.85).aspx

This topic is now closed to further replies.